Describe vulnerability mining in detail

Let’s talk about vulnerability analysis, vulnerability exploitation and vulnerability mining.

Preface

When it comes to security, we have to talk about vulnerabilities, and when it comes to vulnerabilities, we inevitably come to three big mountains to climb:

  • Vulnerability analysis
  • Vulnerability exploitation
  • Vulnerability mining

From the author's personal experience, although these three usually complement and depend on each other, their difficulty is not the same. This article covers my experience and thoughts on each of the three.

Vulnerability analysis

Vulnerability analysis is relatively simple. Usually, a disclosed vulnerability comes with one or two sentences describing its cause, and you can get a rough idea by just pulling down the code and looking at it. For bugs you discovered yourself, it is generally easier still to reproduce and debug them starting from the crash log. Although some bugs are tedious to troubleshoot, it is always possible to narrow the scope step by step and lock in the final target. This is why there are so many vulnerability analysis articles on the Internet: on the one hand, the analysis leaves a trail to follow; on the other hand, the vulnerabilities analyzed are not necessarily your own "original" vulnerabilities, so the sources of material are much wider.

Although vulnerability analysis is simple, it is a path every security researcher must walk. Just like the horse stance and the plum blossom poles in martial arts training, it is a basic skill accumulated over time. When I was studying the kernel, I was keen on writing vulnerability analysis articles for a while. Later, as I became more proficient, the speed of writing articles and notes could no longer keep up with the pace of the analysis, so now I am often too lazy to write them.

Basic skills are essential, but no matter how solid your horse stance is, it does not mean you can stand on your own in the martial arts world. A senior researcher once said that if he wanted to, he could write several analysis articles a day without repeating himself. After all, the purpose of vulnerability analysis is to learn, absorb, and transform, to learn from history, and ultimately to form your own unique understanding.

Vulnerability exploitation

Vulnerability exploitation is relatively complicated, especially for binary vulnerabilities. Successful exploitation requires a carefully arranged memory layout, so a good understanding of the data structures involved in the program is required. And not all vulnerabilities can be converted into effective exploits. Generally, vulnerabilities that are easier to write exploits for are called "good" ones. For vulnerabilities that are not in good condition, I prefer to call them "bugs". Of course, some people think that since the bug at least caused the program to crash, it can be regarded as a DoS (denial of service) vulnerability.

Of course, whether a vulnerability can be exploited actually depends on the person. In complex systems, vulnerabilities that you think cannot be exploited can be successfully exploited by top researchers in a way you did not expect. For example, the Android CVE-2019-2025 (Waterdrop) vulnerability is a race condition in Binder, and the race window is only a few assembly instructions wide. The vulnerability is in quite bad condition, and even the Exploitability Score given by CVSS is only 1.8. However, researchers at 360 still exploited it stably to escalate privileges by playing with the scheduler.

Therefore, there are far fewer articles about vulnerability exploitation. On the one hand, for the sake of responsible disclosure, security researchers will not give complete exploit details, to avoid abuse by script kiddies; on the other hand, for public exploits, you can't simply write up what is already out there, since the idea behind an exploit in many cases varies from person to person. Too much similarity will inevitably raise the suspicion of copying, unless there are some original thoughts to add, or new ideas for exploitation.

Many times, articles about vulnerability exploitation turn into exploit analysis articles, which also shows how difficult vulnerability exploitation is.

Source: blog.csdn.net/bluemoon_0/article/details/129513736